Restrict IPs

Overview

The Restrict IPs policy action enables you to allow or deny traffic based on the source IP of the connection that was initiated to your ngrok endpoints. You can define rules in two ways, with CIDR blocks and with identifiers to existing ngrok IP Policies.

Example

Traffic Policy for restricting, allowing, and denying certain ips.

YAML

# snippet
---
actions:
  - type: "restrict-ips"
    config:
      enforce: true
      allow:
        - "1.1.1.1/32"
      deny:
        - "e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128"
      ip_policies:
        - "ipp_1yjqdrIBwgciY2I9zH2EelgBbJF"

JSON

// snippet
{
  "actions": [
    {
      "type": "restrict-ips",
      "config": {
        "enforce": true,
        "allow": [
          "1.1.1.1/32"
        ],
        "deny": [
          "e680:5791:be4c:5739:d959:7b94:6d54:d4b4/128"
        ],
        "ip_policies": [
          "ipp_1yjqdrIBwgciY2I9zH2EelgBbJF"
        ]
      }
    }
  ]
}

Request:

curl https://example.ngrok.app/api/v1

Result:

< HTTP/2 403

Behavior

This action evaluates the configured rules against the layer 4 source IP (conn.client_ip) of a connection. HTTP headers like X-Forwarded-For are never used.

A connection is allowed only if its source IP matches at least one of the allowed CIDRs and does not match any of the denied CIDRs.

The set of allowed and denied CIDRs are built from the CIDRs specified in the allow and deny fields as well as the CIDRs belonging to the ngrok IP Policies specified in the ip_policies field.

If this action denies the connection, a HTTP 403 response is returned. The upstream server is never reached. No further actions or policy rules in the policy configuration will be executed.

Reference

Supported Directions

• Inbound

Configuration

Type
restrict-ips

Parameter		Description
enforce	bool	Default true. If false, continue to the next action even if the IP is not permitted.
allow	Array<string>	A list of of CIDRs that are allowed.
deny	Array<string>	A list of of CIDRs that are denied.
ip_policies	Array<ID>	A set of IP policies identifiers that will be used to check if a source IP is allowed access.

Action Result Variables

The following variables are available following the invocation of this action.

Name	Type	Description
actions.ngrok.restrict_ips.action	string	The resulting action for this action execution. Supported values are either allow or deny.
actions.ngrok.restrict_ips.matched_cidr	string	The CIDR that matched for the incoming client ip. This may be empty.
actions.ngrok.restrict_ips.error.code	string	Code for an error that occurred during the invocation of an action.
actions.ngrok.restrict_ips.error.message	string	Message for an error that occurred during the invocation of an action.